

Windows 2003 user password problem

Posted on 2006-06-29
Medium Priority
Last Modified: 2008-08-18
We have some users that are in remote offices connected via a VPN client (Cisco). I've noticed that they will get their 60 day domain password change notice, and once they do that, it seems that their machine password doesn't sync, and the password is completely off.

Is there a certain way everyone deals with this?
Question by: shankshank

Expert Comment

ID: 17013093
Passwords fail to synchronize in a Windows domain, seemingly at random

Cause:  Password Synchronization is not configured identically on all domain controllers in the domain. As a result, if a nonconforming domain controller accepts a user's password change, it might not be able to change the password on UNIX computers.

Solution:  Ensure that Password Synchronization is configured identically on all domain controllers, particularly host settings and default settings for encryption keys and ports.


Author Comment

ID: 17013143
That's not it, since we can change it while physically on the network with no problem.

It's the VPN that screws up.


Accepted Solution

napoleon41 earned 672 total points
ID: 17014093
Are the remote computers members of the domain?  We had some problems with profiles and various mapping/logon scripts until we removed the remote computers from the domain.  Granted, a lot more stuff has to be configured manually, but we have a small group of people working remotely (transcriptionists mostly).

Now, we hook our users up with our SSL VPN gateway and have them RDP onto a terminal server.  Bye-bye remote issues.  Just food for thought. (Note: they have a free edition because they built it on Linux.  I love open source.)


Assisted Solution

engineer_dell earned 664 total points
ID: 17014566
Two things I would try. First, look for any cached passwords relating to your server on their remote machine:
Control Panel --> Users --> Advanced --> Manage passwords

Also you may want to edit the hosts and lmhosts files so that they have entries for your server.

A VPN router running Windows Server 2003 supports the logging of authentication and accounting information for VPN connections in local logging files when Windows authentication or Windows accounting is enabled. This logging is separate from the events recorded in the system event log. You can use the information that is logged to track site-to-site connection usage and authentication attempts. Authentication and accounting logging is especially useful for troubleshooting remote access policy issues. For each authentication attempt, the name of the remote access policy that either accepted or rejected the connection attempt is recorded.

The authentication and accounting information is stored in a configurable log file or files stored in the SystemRoot\System32\LogFiles folder. The log files are saved in Internet Authentication Service (IAS) or database-compatible format, meaning that any database program can read the log file directly for analysis.

If the VPN router is configured for RADIUS authentication and accounting and the RADIUS server is a computer running Windows Server 2003 and IAS, the authentication and accounting logs are stored in the SystemRoot\System32\LogFiles folder on the IAS server computer.
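The comment above points at the IAS-style authentication logs as the place to see which policy accepted or rejected each attempt. The following is an added example, not code from the thread or from Microsoft: a small Python parser over constructed log lines in the comma-separated, database-compatible style, which counts Access-Reject records per user and policy and flags users whose rejects repeat with no accept in between, the pattern you would expect from a client still presenting a stale cached password after a change. The column positions, the policy name and the reason code value are assumptions for this example; check the log schema on your own server before running it against real files.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample, database-compatible style (one CSV record per line).
# Column layout is an ASSUMPTION for this example, not the documented schema:
# 0 computer, 1 service, 2 date, 3 time, 4 packet type, 5 user,
# 6 fully qualified user, 7 calling station, 8 policy name, 9 reason code.
SAMPLE_LOG = """\
"VPNRTR01","RAS","06/29/2006","08:01:12",1,"CORP\\jsmith","CORP\\jsmith","10.0.0.5","Remote VPN Users",""
"VPNRTR01","RAS","06/29/2006","08:01:12",3,"CORP\\jsmith","CORP\\jsmith","10.0.0.5","Remote VPN Users","16"
"VPNRTR01","RAS","06/29/2006","08:01:40",1,"CORP\\jsmith","CORP\\jsmith","10.0.0.5","Remote VPN Users",""
"VPNRTR01","RAS","06/29/2006","08:01:40",3,"CORP\\jsmith","CORP\\jsmith","10.0.0.5","Remote VPN Users","16"
"VPNRTR01","RAS","06/29/2006","08:05:03",1,"CORP\\agarcia","CORP\\agarcia","10.0.0.7","Remote VPN Users",""
"VPNRTR01","RAS","06/29/2006","08:05:03",2,"CORP\\agarcia","CORP\\agarcia","10.0.0.7","Remote VPN Users",""
"""

# RADIUS packet type codes (RFC 2865/2866 values).
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept",
               3: "Access-Reject", 4: "Accounting-Request"}

COL_PACKET_TYPE, COL_USER, COL_POLICY, COL_REASON = 4, 5, 8, 9


def parse_ias_lines(text):
    """Turn database-compatible log text into a list of dict records."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        rows.append({
            "user": fields[COL_USER],
            "packet": PACKET_TYPE.get(int(fields[COL_PACKET_TYPE]), "Unknown"),
            "policy": fields[COL_POLICY],
            "reason": fields[COL_REASON],
        })
    return rows


def reject_summary(rows):
    """Count Access-Reject records per (user, policy name, reason code)."""
    counts = Counter()
    for r in rows:
        if r["packet"] == "Access-Reject":
            counts[(r["user"], r["policy"], r["reason"])] += 1
    return counts


def repeat_reject_users(rows, threshold=2):
    """Users who hit `threshold` rejects in a row with no accept in between.
    A client retrying a stale cached password after a change looks like this."""
    streak = defaultdict(int)
    flagged = set()
    for r in rows:
        if r["packet"] == "Access-Reject":
            streak[r["user"]] += 1
            if streak[r["user"]] >= threshold:
                flagged.add(r["user"])
        elif r["packet"] == "Access-Accept":
            streak[r["user"]] = 0
    return sorted(flagged)


if __name__ == "__main__":
    records = parse_ias_lines(SAMPLE_LOG)
    for key, n in reject_summary(records).items():
        print("rejects", key, n)
    print("repeat-reject users:", repeat_reject_users(records))
```

Point it at the real files under SystemRoot\System32\LogFiles once you have confirmed the column order there; the per-policy breakdown tells you whether the rejects are all landing on the remote access policy you expect.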


Assisted Solution

ssmith764 earned 664 total points
ID: 17071920

I may be barking up the wrong tree here but is the VPN a permanent connection from the remote office or do the users start the connection from their machines? The reason I ask is if the users are not actually logging in to the domain but are logging in to their machine with cached credentials and THEN starting the vpn connection, when they change their passwords over the vpn the cached password on their machine will not be changed.

Expert Comment

ID: 17073429
That's good thinking ssmith764.  I have never actually used the VPN "client" in a situation where the remote computer is a member of the domain.  Computers using the VPN client are not members of the domain.

All of our full-time remote users are LAN-to-LAN, where they are on a permanent tunnel with a router/PIX 501 at their house to provide the tunneling to the concentrator on site.  To those computers, the VPN is transparent and they might as well be jacked into a switch on site.  Computer/User security policies are slower (their login time is slower), but everything else works fine.

Obviously that requires some ACL rules to prevent their Internet traffic from pulling through the VPN, and for security reasons we have chosen to deny their "company provided computer" from accessing the Internet.  We have, though, set up rules to give their personal computer(s) access to the Internet and deny them from the VPN.  Usually this is done by giving the company computer a static IP address and then providing a DHCP pool for their personal computers.

Security, security, security.


Author Comment

ID: 17266244
Smith: The VPN connection is not a permanent connection, but a VPN client run after the user logs in.
napoleon: I am curious about your router/PIX 501 setup and not giving the users the ability to access the net through the VPN. I wouldn't mind implementing a setup like that so that these VPN clients can access our network fine, but Internet traffic goes through their cable modem or ISP instead of through the VPN.


Expert Comment

ID: 17266933
Basically, there is a PIX 501 (or a SOHO router) at their house that is the first device in the chain from their Internet connection.  The PIX controls the Internet connection and access, and maintains a more or less permanent VPN connection with the Cisco Concentrator (we used to use a PIX, though) at the hospital.  This type of connection is called a LAN-to-LAN VPN.

The PIX 501 hands out a DHCP address, subnet mask, and default gateway to them and contains routing information.

Hospital Network -
Remote user's home network -

For security and functionality, we configure various ACLs (access control lists) and/or routing statements that direct the user's traffic.  If the destination is a 172.16 address, the 501 forwards the traffic down the VPN.  Any Internet traffic is sent out their Internet connection (and not the hospital's), and any local traffic is kept in their local network (printer, home network, XBOX, etc.).  Usually, we statically assign their "company computer's" IP address and only allow that station access to the VPN.

All of our VPNs use IPsec, but with Cisco devices, you can pretty much do anything you want.

Diagrams and descriptions of how to set up two PIX firewalls for a LAN-to-LAN VPN using the PDM (GUI) interface.  It covers the basics without getting into the Cisco command line.  I have found it difficult to use only the PDM, though, and end up doing most of my configurations of ANY major network device through the command line interface.  But, hey!  This one has pictures.  Ha!
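The split-tunnel policy described in the last two comments (only the statically addressed company computer reaches the 172.16 network over the VPN, the company computer gets no direct Internet, personal devices on the DHCP pool get Internet but not the VPN, local traffic never leaves the home LAN) comes down to an ordered access list evaluated first-match. The Python below is an added example, not configuration from the thread or from Cisco: it models that access list and shows the one mistake that bites in practice, placing the company computer's "deny to any" above its VPN permit, which silently kills the tunnel because "any" also covers 172.16. The home LAN, the static address, the DHCP pool and the hospital prefix length are constructed values; the page only says "a 172.16 address".

```python
import ipaddress

# Constructed addressing for this example (only 172.16 comes from the thread).
ANY = ipaddress.ip_network("0.0.0.0/0")
HOSPITAL_NET = ipaddress.ip_network("172.16.0.0/16")      # assumed prefix length
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")         # constructed home LAN
COMPANY_PC = ipaddress.ip_network("192.168.1.10/32")      # constructed static address
PERSONAL_POOL = ipaddress.ip_network("192.168.1.128/25")  # constructed DHCP pool

# Ordered rules: (action, source, destination, label). First match wins,
# which is how a firewall access list is evaluated; order therefore matters.
SPLIT_TUNNEL_ACL = [
    ("permit", COMPANY_PC, HOSPITAL_NET, "company PC to hospital, down the VPN"),
    ("deny", HOME_LAN, HOSPITAL_NET, "no other home device reaches the hospital"),
    ("deny", COMPANY_PC, ANY, "company PC gets no direct Internet"),
    ("permit", PERSONAL_POOL, ANY, "personal devices use the home ISP link"),
]


def route_decision(src, dst, acl=SPLIT_TUNNEL_ACL):
    """Return (outcome, reason) for a packet from src to dst at the home PIX.
    outcome is one of 'local', 'vpn', 'internet', 'deny'."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in HOME_LAN:
        return ("deny", "source is not on the home LAN")
    if dst in HOME_LAN:
        # Same-subnet traffic is switched locally and never hits the ACL.
        return ("local", "stays on the home LAN")
    for action, rule_src, rule_dst, label in acl:
        if src in rule_src and dst in rule_dst:
            if action == "deny":
                return ("deny", label)
            return ("vpn" if dst in HOSPITAL_NET else "internet", label)
    return ("deny", "implicit deny at end of ACL")


def misordered_acl():
    """The same rules with the company PC's 'deny to any' moved to the top.
    Because ANY also matches 172.16.0.0/16, the VPN permit below can never fire."""
    acl = list(SPLIT_TUNNEL_ACL)
    acl.insert(0, acl.pop(2))
    return acl


if __name__ == "__main__":
    cases = [("192.168.1.10", "172.16.5.20"), ("192.168.1.10", "198.51.100.7"),
             ("192.168.1.140", "172.16.5.20"), ("192.168.1.140", "198.51.100.7"),
             ("192.168.1.140", "192.168.1.50")]
    for s, d in cases:
        print(s, "->", d, route_decision(s, d))
    print("misordered:", route_decision("192.168.1.10", "172.16.5.20", misordered_acl()))
```

The decision table this produces is the one the comments describe; the `misordered_acl` case is worth keeping as a regression check whenever the rule set on the real device is edited, since a first-match list fails quietly rather than loudly.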
